Dropbox: A Privacy Black Box

A colleague apparently suggested that the nice people at Dropbox should email me with an invitation to use their services. The concept appears simple enough—remote storage that makes users’ files available on any laptop, desktop, or phone.

I was intrigued by it because it’s a discrete example of a “cloud” computing service. How do they handle some of the key privacy challenges? A cloud over remote computing and storage is the likelihood that governments will use it to discover private information with dubious legal justification, or without any at all. (Businesses likewise can rightly worry that competitors working with governments might access trade secrets.)

Well, it turns out they don’t handle these challenges. Dropbox is a privacy black box.

I homed right in on their “Policies” page, looking for assurance that they would protect the legal rights of users to control information placed in the care of their service. There’s precious little to be found.

There’s no promise that they would limit information they share with authorities to what is required by valid legal process. There’s no promise that they would notify users of a warrant or subpoena. They do reserve the right to monitor access and use of their site “to comply with applicable law or the order or requirement of a court, administrative agency or other governmental body.”

Is there protection in the fact that files are stored encrypted on their service? The site—though not the terms of service—says “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” Not if Dropbox is willing to monitor the use of the site on behalf of law enforcement. They can simply gather your password and hand it over.

National Security Letter authority and the impoverished “third party doctrine” in Fourth Amendment law puts cloud-user privacy on pretty weak footing. Dropbox’s policies do nothing to shore that up. It’s not alone, of course. It’s just a nice discrete example of how “the cloud” exposes your data to risks that local storage doesn’t.

There are a few other problems with it. They don’t promise to notify users directly of changes to the privacy policy. (“[W]e will notify you of any material changes by posting the new Privacy Policy on the Site…”) And they reserve the right to change their terms of service any time—without giving you the right to access and remove your files. When they decide to make their free service a paid service, they could hold your files hostage unless you sign up for x years. Data liberation is an important term of services like this.

Golly, even as I’ve been writing this, friends have tweeted that they like Dropbox. It sounds like a fine service for what it is. I just wouldn’t put anything on there that you wanted to keep private or that you really wanted to be sure you could access.

Jim Harper / Jim is the Director of Information Policy Studies at The Cato Institute, the Editor of Web-based privacy think-tank Privacilla.org, and the Webmaster of WashingtonWatch.com. Prior to becoming a policy analyst, Jim served as counsel to committees in both the House and Senate.